Gdpr: how to process personal data in b2b?
Published on 8 March 2018
On May 25, 2018, the GDPR, the new European regulation on the use of personal data, will enter into force. Less than 6 months away from the effective date, it’s time to take a look at the constraints that will soon be imposed on all companies. We decipher the obligations and changes B2B companies can expect.
What is the GDPR ?
The General Data Protection Regulation, or GDPR, is a regulation imposed on a European level that applies as of May 25, 2018 to all companies operating in the EU. Goal: regulate how companies, whether or not physically based in the EU, use customer data. This is a significant strategic challenge for companies because major financial penalties apply in the event of non-compliance (up to 4% of a company’s worldwide turnover).
This new regulation reinforces professional obligations in terms of personal data processing. Unlike the approach initially taken in France by the French data protection agency (CNIL), the GDPR does not impose prior notification. Companies must be able to attest, at all times, their compliance with data protection regulations, most notably by maintaining a record of processing activities.
According to the GDPR, personal data means any information relating to an identified or identifiable natural person: identity, a contact email address, contact details, IP address, etc. All companies with customer databases are thus affected and must, as of now, enter into a transition phase.
Privacy by design/by default: taking personal data protection into account from the get-go
The notions "Privacy by design" and "Privacy by default" reveal the need to consider personal data protection right from the start of project conception. This mechanism also means that only the data necessary for the company to achieve its objectives, which must be clearly conveyed, must be collected and processed.
To comply with the GDPR, the way new information systems are conceived will have to change and certain existing IS will have to be entirely redesigned. "Privacy by design" particularly affects software developers and companies seeking to implement data-driven tools, such as a CRM.
Designating a DPO and notifying of personal data breaches
To facilitate the application of measures in company, the GDPR has created the position of a data protection officer (DPO). Designating a DPO is mandatory in:
- public authorities or bodies;
- companies whose core activities require regular and systematic monitoring of customer data on a large scale;
- companies processing sensitive data.
Companies that are not initially bound by this obligation should also designate a DPO to demonstrate that they have understood the magnitude of data protection challenges.
Designated based on their expertise in law and personal data protection, DPOs take on the role of conductor to govern data protection in the company. Their tasks include:
- informing and advising the controller/processor and the employees who carry out processing or outsourcing of their obligations under this regulation;
- providing advice on the data protection impact assessment;
- acting as the contact point for the supervisory authority in charge of inspecting companies.
In addition to designating a DPO, the GDPR also establishes the obligation to provide notification of data breaches. This obligation falls on the controller/processor who is in charge of notifying the data protection authority of breaches.
Analysis of impact on privacy rights
For all new projects involving the processing of personal data, the instructing party and its controller must first determine if the project will affect the privacy rights of the people involved. If the answer is yes, they must show that the project complies with the notion of "Privacy by design". It is important to highlight that the subcontractor is no longer in charge of doing this prior work, which now falls under the responsibility of the instructing party.
Right to personal data portability
The GDPR also provides the right for individuals to be given back the information concerning them that companies have processed. This data can then be transferred to a third party if needed.
In order for companies to be able to respond to requests for data, they must implement a system for accessing all data collected on an individual. These companies, which may be pharmacies, banks or insurance providers, are now obligated to transmit all data in unencrypted format to the person in question or another controller.
Obligation to inform the customer of the purposes of data collection
This measure, established before the publication of the GDPR, has been made explicit with this regulation. In order to collect personal data, the customer must be aware and freely give his or her specific informed consent. This consent corresponds to a defined purpose and cannot be attributed to a set of applications, no matter how similar they may be.
In order to secure company operations, data collection and processing will have to be standardized, which represents a major investment for marketing departments.